Sophos

W32/Frethem-Fam

Summary

Detected by All Sophos products

More Information

W32/Frethem-Fam is a family of email-aware worms.

The worm arrives in an email with one of the following sets of characteristics:

Subject line: Re: Do your Windows looks like Windows XP? I have found very nice desktop themes!
Message text:
Hello!
Do you like modern design of new Windows XP?! I have found FREE and easy to use desktop themes! You can open attach with website and samples! Enjoy it!!!
Attached file: www.freedesktopthemes.exe

or

Subject line: Re: Your password!
Attached files: "Your password placed in password.txt password.exe", password.txt

The message text is blank.
"Your password placed in password.txt password.exe" is a copy of the worm and password.txt is a text file containing the text "Your password is W8dqwq8q918213".

or

Subject line: Re: Your password!
Message text:
ATTENTION!
You can access
very important
information by
this password
DO NOT SAVE
password to disk
use your mind
now press
cancel
Attached files: decrypt-password.exe, password.txt

Decrypt-password.exe is a copy of the worm and password.txt is a text file containing the text "Your password is W8dqwq8q918213".
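As an added example (not code from the Sophos page), the following Python triage check parses a constructed message resembling the third lure above and reports which of the listed subject lines and attachment names it matches; the sample message and the indicator sets are assumptions built only from the characteristics described on this page.

```python
import email
from email import policy

# Indicators taken from the Sophos description of W32/Frethem-Fam above (lower-cased).
FRETHEM_SUBJECTS = {
    "re: your password!",
    "re: do your windows looks like windows xp? i have found very nice desktop themes!",
}
FRETHEM_ATTACHMENTS = {
    "www.freedesktopthemes.exe",
    "decrypt-password.exe",
    "your password placed in password.txt password.exe",
}

def attachment_names(msg):
    """Collect the filename of every MIME part that carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def classify(raw_message):
    """Return the Frethem indicators matched by a raw RFC 822 message (empty list: none matched)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    reasons = []
    if subject in FRETHEM_SUBJECTS:
        reasons.append(f"subject matches: {subject!r}")
    for name in attachment_names(msg):
        if name.lower() in FRETHEM_ATTACHMENTS:
            reasons.append(f"attachment matches: {name!r}")
    return reasons

# Constructed sample resembling the third lure described above; not a real capture.
SAMPLE_EML = """\
Subject: Re: Your password!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="frethem-sample"

--frethem-sample
Content-Type: application/octet-stream; name="decrypt-password.exe"
Content-Disposition: attachment; filename="decrypt-password.exe"

MZ-placeholder-not-a-real-binary
--frethem-sample
Content-Type: text/plain; name="password.txt"
Content-Disposition: attachment; filename="password.txt"

Your password is W8dqwq8q918213
--frethem-sample--
"""
```

Matching on these fixed names catches only the lures listed here; an executable attachment arriving with a blank body is worth flagging regardless of its name.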

The worm uses a MIME header vulnerability and an IFRAME vulnerability so that the attached file is run automatically when the email is viewed on unpatched Microsoft email clients.

Upon execution the worm copies itself to
C:\Windows\Start Menu\Programs\Startup as setup.exe and runs in the background as a process of the same name. On a computer with multiple user profiles enabled, the worm may instead copy itself to
<user profile path>\Start Menu\Programs\Startup. Either location causes the worm to run automatically the next time the computer is restarted or the same user logs in again.

Some variants of the worm also create a copy of themselves in the Windows folder with the name taskbar.exe. In this case the worm will create the following registry entry to allow the worm to run when Windows is started up:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Task Bar

The trigger condition for the mass-mailing behaviour is dependent on certain dates and the time zone. When triggered, the worm obtains information about the SMTP server from the following registry entry:

HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001

The worm then sends itself, using its own SMTP engine, to contacts found in DBX, WAB, MBX, EML, MDB and DAT files (some variants harvest addresses only from DBX files and the Windows Address Book).

Besides mass-mailing itself, the worm also sends HTTP requests to some CGI scripts located at various remote locations. However, at the time of writing these scripts are no longer available and hence this does not pose a threat.
